During the packing process, UPX removes certificates from the PE image. This is obvious - the compressed executable will not be properly signed any longer.
But there is an IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) flag in the PEHeader.OptionalHeader.DllCharacteristics field. This flag forces the operating system to check whether the executable is properly signed - if not, it will not be loaded. UPX does not clear this flag, so the packed executable will not work any longer.
So the solution is:
UPX should always clear the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header.
Regards
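
A check for the condition reported above, as an added example that is not part of the original post and not UPX code: it reads DllCharacteristics and the certificate table directory entry from a PE header, reports an image that has the flag set but no embedded certificate, and clears the flag. The function names and the header stub built by `make_sample` are constructed for illustration.

```python
import struct

FORCE_INTEGRITY = 0x0080  # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
SECURITY_DIR = 4          # index of the certificate table data directory

def _offsets(data):
    """Return (optional header offset, data directory offset)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24  # skip PE signature (4) and COFF header (20)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return opt, opt + (96 if magic == 0x10B else 112)

def inspect_pe(data):
    """Report the FORCE_INTEGRITY flag and whether a certificate table exists."""
    opt, dirs = _offsets(data)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    cert_size = 0
    if count > SECURITY_DIR:
        cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)[1]
    forced = bool(dllchar & FORCE_INTEGRITY)
    return {"force_integrity": forced, "has_certificate": cert_size != 0,
            "forced_but_unsigned": forced and cert_size == 0}

def clear_force_integrity(data):
    """Return a copy with the flag cleared (CheckSum is not recomputed)."""
    opt, _ = _offsets(data)
    out = bytearray(data)
    dllchar = struct.unpack_from("<H", out, opt + 70)[0]
    struct.pack_into("<H", out, opt + 70, dllchar & ~FORCE_INTEGRITY & 0xFFFF)
    return bytes(out)

def make_sample(dllchar, cert_size):
    """Constructed PE32 header stub for the demo (not a loadable image)."""
    buf = bytearray(0x40 + 24 + 224)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)       # PE32 magic
    struct.pack_into("<H", buf, opt + 70, dllchar)
    struct.pack_into("<I", buf, opt + 92, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * SECURITY_DIR, 0x400 if cert_size else 0, cert_size)
    return bytes(buf)
```

Running `inspect_pe` over a packer's output before release catches the state described in the report: flag still set, certificate table empty.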